GDPR Brexit Review

The General Data Protection Regulation was set to be in place by May 2018. However due to the 2016’s referendum where the UK public voted out of the European Union, this will now influence how the government works with the GDPR. Once Article 50 completes, UK Datacenters will no longer be under EU jurisdiction and therefore will not need to comply with EU data protection rules. While many UK businesses will not be concerned over the GDPR, a vast majority of business’s who work inside and outside of the UK will have concerns of potential impact on the services they provide. The Information Commissioner’s Office (ICO) are in talks with the government to put forward their view that “reform of UK data protection law remains necessary”. With digital communication and functions being such an integral part of day to day life, it’s important that every step is taken to ensure protection for organizations and their clientele.

Article 50 is believed to be a 2 year process at the very least, and is unlikely to be initiated before we are well into 2017. As the GDPR is expected to be rolled for May 2018, its rules and regulations will have to be met by UK businesses and more specifically and more relevant to us and our customers, UK datacentres. Furthermore going forward any UK businesses which market and provide services to European countries will still have to comply GDPR legislation regardless of Article 50 having gone through. Karen Bradley, the UK secretary of state for culture, media and sport, said: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”. The adoption of GPDR at brexit is with the intention for all EU laws and legislation incorporated into UK law at the point of exit.

So, how does the GDPR compare to the Data Protection Act. Well, the GDPR and DPA both apply to personal data. The GDPR goes a step further than the DPA in that their definition of personal data is broader, for example it will class an individual IP address as personal data. The GDPR will apply to both auto AND manual filing systems. The GDPR also expands on sensitive personal data by including genetic, cultural, biometric and even mental health data as protected information. Other directives include people having the right to their data being erased (known as ‘right to be forgotten’) when and if they decide to do so. Businesses will also be expected to provide details on what data they are using and what they are using said data for. Penalties for breaching compliancy are more significant compared to the DPA’s policy. With fines of up to 4% of annual turnover or 20 million Euros (whichever is greater)this could prove devastating to many businesses who haven’t planned ahead.

Now is the time to for those companies confused around the GDPR to research and check their current level of compliancy. VooServers will be keeping a close eye on both our own national DPA as well as the GDPR to make sure that across all our services we deliver consistent data protection rights and laws for our clients from wherever they are based. It is very likely that the next few years will be heavily influenced by the GPDR and the risks associated with not following the protocol is too significant to ignore, and therefore early compliancy is key to preparation.